The General Data Protection Regulation is a new EU regulatory regime coming into effect in May 2018. The UK has signed up to the GDPR and will continue to implement it despite Brexit.

What are the main issues for companies with GDPR?

There are many areas that businesses must focus on to prepare themselves for this change.

Some of the key issues that businesses need to consider are:

Identify personal data – note and control all data that might be used to identify an individual.

Ensure valid consent from customers – organisations will need to prove clear and valid consent for the purpose for which the data is being gathered and not change that purpose without gaining further consent. Organisations will need to be able to easily show what data has been collected and the consents gained for its use.

Users must explicitly accept privacy statements. Any amendments to the privacy statements could mean gaining consent all over again. One resulting challenge is the management of privacy statements and being able to view which users have accepted which specific statements.

An end-to-end audit trail of where the contact came from, what happened to the data in your system, and where it is being exported to.

Confirm whether you need to appoint a Data Protection Officer – it is likely that any organisation that, as part of its activities, depends on processing large volumes of personal data will need to appoint a DPO.

Consider Privacy Impact Assessments – assessments will need to be carried out where the risk of privacy breaches is high. So, if a project is likely to impact on processing activities then an impact assessment will need to be undertaken.

The right to be forgotten – individuals can request that their data be removed, and organisations cannot hold data for longer than necessary.

Privacy by design – data must be permanently deleted where requested, with no copies held.

For more background on how to prepare for GDPR, read this paper from the Information Commissioner’s Office, 12 steps to take now.

Personal data is information relating to a person, where that person can be identified by using a piece of data, such as a name, email address etc – even an IP address or mobile number can now be classed as personal data.

Is a name and address personal data under GDPR?

A common name, Robert Jones, on its own may not be personal data. However, if presented along with other data, such as an address or date of birth, then it would constitute personal data. Unusual names may, on their own, constitute personal data.

What is sensitive personal data?

Sensitive data is data that, if misused, might cause harm to an individual. This includes information about race or ethnic origin. Genetic and biometric data are also included, if they can be used to identify an individual.

Pseudonymous data is personally identifiable data that has been subjected to encryption. It still falls under the GDPR, but some of the rules are relaxed, in particular the notification of data breaches.

What is a Data Protection Impact Assessment?

A DPIA is an assessment that must be carried out every time you make a change to a system which may affect contact data. Using cloud-hosted software generally offloads this responsibility and reduces the need for you to produce a DPIA every time a change is made to the system. This is subject to what is being changed and the configurability of the cloud software.

What is a data controller under GDPR?

The data controller is the person, company or organisation who decides how and what processing is undertaken.

What is a data processor under GDPR?

A processor is a person, entity or company who carries out the processing of data, and processing means any operation on the data (e.g., collect, record, retrieve, organise etc) whether automated or not.